From: Casey Bodley Date: Tue, 26 Nov 2024 17:51:21 +0000 (-0500) Subject: docs/rgw: deprecate tenant-based IAM in favor of accounts X-Git-Tag: v20.0.0~436^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b875c783ef70b8305bc8d22bd14ec72b7f119b4e;p=ceph.git docs/rgw: deprecate tenant-based IAM in favor of accounts the user account feature was intended to cover all of the use cases of the previous tenant-based IAM/STS integration. announce deprecation of tenant-based IAM for the T release and removal for T+2 Signed-off-by: Casey Bodley --- diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 146cab64d6fb..00555adaac80 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -1,5 +1,16 @@ >=20.0.0 +* RGW: The User Account feature introduced in Squid provides first-class support for + IAM APIs and policy. Our preliminary STS support was instead based on tenants, and + exposed some IAM APIs to admins only. This tenant-level IAM functionality is now + deprecated in favor of accounts. While we'll continue to support the tenant feature + itself for namespace isolation, the following features will be removed no sooner + than the V release: + * tenant-level IAM APIs like CreateRole, PutRolePolicy and PutUserPolicy, + * use of tenant names instead of accounts in IAM policy documents, + * interpretation of IAM policy without cross-account policy evaluation, + * S3 API support for cross-tenant names such as `Bucket='tenant:bucketname'` + * RBD: All Python APIs that produce timestamps now return "aware" `datetime` objects instead of "naive" ones (i.e. those including time zone information instead of those not including it). All timestamps remain to be in UTC but
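Review bot: The new RGW entry in PendingReleaseNotes lists what will be removed but gives operators no next step; add a sentence pointing to the account documentation and any migration steps, so that deployments using tenant-level roles and user policies know what to do before the V release. The third bullet, "interpretation of IAM policy without cross-account policy evaluation", describes a change in authorization behaviour rather than an API, and it is not clear from the wording which existing policies are affected; spelling out the effect on policies that reference another tenant would help admins audit them ahead of removal. Minor: the last bullet ends without punctuation while the other three end in commas, and the commit message says "T+2" where the note says "the V release"; using one form in both makes them easier to cross-check.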